Sophisticated Hacker Group Strikes for Profit, Not Politics

A Shadowy hacking group has made its presence felt in recent months, going after large corporate targets like Facebook, Twitter, Microsoft, and Apple. It is a story that has become depressingly familiar. But, in a new development, Symantec said this group of hackers is motivated not by politics or terrorism, but by greed.

The hacker collective, which Symantec labeled Morpho in a report released Wednesday, has been stealing confidential information and intellectual property from companies for the last three years, targeting firms in the IT, Internet, software, pharmaceutical, and commodities sectors. According to Symantec, the group uses advanced techniques and is well funded.

Smarter Than the Average Hacking Collective

“The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks,” Symantec said in the report. Morpho is also smart — the group keeps a low profile and maintains good operational security. After successfully compromising a target organization, it will clean up after itself before moving on to its next target.

That makes its activities much harder for authorities to track, and elevates its threat level far above that of the average cybercrime operation. Instead of looking to steal credit card information or customer databases, the group goes after high-level corporate information. The group may be selling the valuable intel it steals from companies to the highest bidder, or it could be operating as a “hacker for hire,” according to Symantec. The stolen information could also be destined for insider trading purposes.

American companies have so far been the most popular victims for Morpho, with at least 17 companies attacked in the U.S. Meanwhile, 12 European and four Canadian companies have also been targeted. In total, 49 companies have been attacked by Morpho in more than 20 countries.

‘All Your Base Are Belong to Us’

The first indications of Morpho’s activities came in 2013, when several major technology and Internet firms reported that their security had been compromised by similar penetration techniques. The attackers infected victims by compromising Web sites used by mobile developers and using a Java zero-day exploit to infect them with malware. The hackers used a backdoor attack for the Mac OS X called OSX.Pintsized and a Windows backdoor called Backdoor.Jiripbot.

The publicity that the attacks generated seemed to cause the group to go dark for a while. But Morpho has not remained silent. On the contrary, Symantec said it found evidence that the group had, in fact, been active since at least March 2012. Not only is the group continuing its attacks today, but the security firm said Morpho is actually growing more active.

Almost as unnerving as Morpho’s habit of targeting enterprise assets is its familiarity with the inner workings of its victims. The group has successfully compromised commonly used e-mail servers such as Microsoft Exchange and Lotus Domino, according to Symantec. It has also targeted enterprise content management systems, where it could have gained access to valuable documents such as financial records, product descriptions, and legal documents.

And unlike attacks by other hacker groups suspected of working for the Chinese, Russian, or North Korean governments, Morpho’s malware tools are well documented in fluent English. The group has also referenced popular English-language memes, such as “All Your Base Are Belong to Us,” indicating that at least some members are fluent English speakers with a deep understanding of the cultures of the countries they target.